[Please direct follow-ups to tech-pkg.]
I've just updated our openssl package to 0.9.6e, and there are a few
things our users should know. In case you've been living in a cave
this past week, this update fixes multiple vulnerabilities, including
potentially exploitable buffer overrun errors. See
ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc
The package also includes the 2002-08-04 fix to the fix for ASN1 checks.
It also involves on ABI change on all platforms, so all binaries linked
with the the openssl package shared libraries should be rebuilt. The good
news is, most packages built against NetBSD-1.5* and NetBSD-1.6* (that
is, from NetBSD-1.5 release candidates to current) will be linked with
the *in-tree* openssl libraries. You may update your NetBSD-1.5.3
installation from the release branch *without* needing to recompile any
of those packages. The URI above gives details for those who are familiar
with upgrading the base system from source; those who are not, see
http://www.netbsd.org/Documentation/current/
*** ***IMPORTANT*** ***** ***IMPORTANT*** ***** ***IMPORTANT*** ***
Failure to update your base system before updating packages will force the
package system to automatically add the openssl package as a dependendency
for many packages for which this would not otherwise be the case!
Therefore, please update your base system openssl libraries first!
*** *************** ***** *************** ***** *************** ***
Because of the fact that most of the packages on the installed user base
which make use of openssl shared libraries are not using the package, but
rather the base system, it's not desirable or approriate to mark all such
packages obsolete (as was done with libpng). This is not a problem for
those maintaining installed packages, as the package system will normally
force you to ugrade all dependents of a package to upgrade said package.
Those maintaining a collection of binary packages should however, remove
these packages manually. [I've already done this on ftp.netbsd.org.] Note,
there are no security consequences of keeping the old dependents around,
as long as the old openssl package is removed. On ELF platforms, binaries
in such packages won't even run because of the "soname" mismatch.
To help with the above, I've compiled lists of packages which may be
affected. Here is a list of all packages which currently require a
version of openssl greater than that found in the netbsd-1-5 release
branch, and so are likely to require openssl on netbsd-1-5:
cervisia<=1.4.1nb1 kdemultimedia<=1.2.2nb1 kstars<=1.9
kdbg<=1.2.5 kdenetwork<=1.2.2nb1 ktail<=1.5.1nb1
kdeaddons<=1.2.2 kdepim<=1.2.2nb1 kyahoo<=1.7nb1
kdeadmin<=1.2.2nb1 kdesdk<=1.2.2nb1 openssh<=1.4.0.1
kdeartwork<=1.2.2 kdetoys<=1.2.2nb1 p5-Net-SSLeay<=1.17
kdebase<=1.2.2nb1 kdeutils<=1.2.2nb1 qt2-designer-kde<=1.3.1nb2
kdebindings<=1.2.1nb1 kdevelop-base<=1.1.2 quanta-docs<=1.0nb1
kdeedu<=1.0.2 kmysqladmin<=1.5.1nb1 quanta<=1.9.9.2nb1
kdegames<=1.2.2nb1 knights<=1.4.6nb1 ruby-openssl<=1.1.1
kdegraphics<=1.2.2nb1 koffice<=1.1.1nb1 uml<=1.0.3nb1
kdelibs<=1.2.2nb1 koncd<=1.7.1nb1
and here is a list of all packages which currently use openssl in any form,
excluding the ones already listed above:
ap-ssl<=1.8.10nb1 ja-samba<=1.2.4.1.0 postgresql-pltcl<=1.2.1
bind<=1.2.1 lftp<=1.5.2 postgresql-server<=1.2.1
bitchx<=1.0.3.18 lhs<=1.1 py21-amkCrypto<=1.1.3
cadaver<=1.19.1 libwww<=1.3.2 py21-postgresql<=1.2
courier-authpgsql<=1.37.1 links-gui<=1.1.0.2 qpopper<=1.0.4nb1
courier-imap<=1.4.2nb1 links<=1.1.0.2 racoon<=10020507a
cue<=10010917nb1 lynx<=1.8.5.0.7 samba<=1.2.5
cups<=1.1.14nb1 mutt<=1.4 sendmail<=1.11.6nb1
curl<=1.9.7 neon<=1.21.3 sitecopy<=1.10.15
cyrus-imapd<=1.0.16nb1 nessus-libraries<=1.2.0 snort-pgsql<=1.8.7
cyrus-sasl<=1.5.27nb1 net-snmp<=1.0.0.2 speakfreely<=1.2
docsis<=1.7.5 netsaint-plugins<=1.2.9.4nb2 sslwrap<=106
echoping<=1.1.0 ntop2<=1.1 stunnel<=1.22
elinks<=1.3.0 openldap<=1.0.23 sylpheed-claws<=1.8.0
ethereal<=1.9.5 p5-Crypt-SSLeay<=1.35 sylpheed<=1.8.0
evolution<=1.0.8 p5-DBD-postgresql<=1.13nb1 tcl-postgresql<=1.2.1
exim<=1.05 p5-postgresql<=1.9.0 tcpdump<=1.7.1
fetchmail<=1.9.13 pchar<=1.4 tk-postgresql<=1.2.1
gkrellm-snmp<=1.18nb2 php-imap<=1.1.2 ucd-snmp<=1.2.4
gtksql<=1.3 php-pgsql<=1.0.18 vtun<=1.5
htmldoc-x11<=1.8.19 php-pgsql<=1.1.2 w3m-img<=1.3
htmldoc<=1.8.19 pine<=1.44 w3m<=1.3nb2
http_load<=10020104 postfix<=1.1.11nb1 winbind<=1.2.5
imap-uw<=1001.1 postgresql-client<=1.2.1 xchat-gnome<=1.8.9
imapfilter<=1.7.2 postgresql-lib<=1.2.1 xchat<=1.8.9nb1
isakmpd<=10020403 postgresql-plperl<=1.2.1 zebedee<=1.3.1
If your collection is not large, it may be more convenient to run a command such
as the following over all packages:
for p in $(find -P /usr/pkgsrc/packages/* -type f -name \*.tgz)
do
tar --fast-read --to-stdout -xzf $p +CONTENTS \
| grep -q '^@pkgdep openssl' \
&& echo $p || true
done \
| sed 's/All/*/' \
> obsolete-packages
review the output, then
xargs rm < obsolete-packages
making adjustments for the location and layout of your collection, as appropriate.
Frederick